The MAILING DATE of this communication appears on the cover sheet with the correspondence address.

All claims being allowable, PROSECUTION ON THE MERITS IS (OR REMAINS) CLOSED in this application. If not included 
herewith (or previously mailed), a Notice of Allowance (PTOL-85) or other appropriate communication will be mailed in due course. THIS 
NOTICE OF ALLOWABILITY IS NOT A GRANT OF PATENT RIGHTS. This application is subject to withdrawal from issue at the initiative 
of the Office or upon petition by the applicant. See 37 CFR 1.313 and MPEP 1308. 

1. This communication is responsive to 5 December 2007.

2. The allowed claim(s) is/are 1-21.

3. □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 

a) □ All b) □ Some* c) □ None of the:

1. □ Certified copies of the priority documents have been received. 

2. □ Certified copies of the priority documents have been received in Application No. . 

3. □ Copies of the certified copies of the priority documents have been received in this national stage application from the International Bureau (PCT Rule 17.2(a)). 
* Certified copies not received: . 

Applicant has THREE MONTHS FROM THE "MAILING DATE" of this communication to file a reply complying with the requirements 
noted below. Failure to timely comply will result in ABANDONMENT of this application. 
THIS THREE-MONTH PERIOD IS NOT EXTENDABLE. 

4. □ A SUBSTITUTE OATH OR DECLARATION must be submitted. Note the attached EXAMINER'S AMENDMENT or NOTICE OF INFORMAL PATENT APPLICATION (PTO-152) which gives reason(s) why the oath or declaration is deficient. 

5. □ CORRECTED DRAWINGS (as "replacement sheets") must be submitted. 

(a) □ including changes required by the Notice of Draftsperson's Patent Drawing Review (PTO-948) attached 1) □ hereto or 2) □ to Paper No./Mail Date . 

(b) □ including changes required by the attached Examiner's Amendment / Comment or in the Office action of Paper No./Mail Date . 

Identifying indicia such as the application number (see 37 CFR 1.84(c)) should be written on the drawings in the front (not the back) of 
each sheet. Replacement sheet(s) should be labeled as such in the header according to 37 CFR 1.121(d). 

6. □ DEPOSIT OF and/or INFORMATION about the deposit of BIOLOGICAL MATERIAL must be submitted. Note the attached Examiner's comment regarding REQUIREMENT FOR THE DEPOSIT OF BIOLOGICAL MATERIAL. 
DETAILED ACTION 

1. This is in response to the appeal brief filed on 5 December 2007. 

2. Claims 1-21 are pending in the application. 

3. Claims 1-21 have been allowed. 

Allowable Subject Matter 

4. Claims 1-21 are allowed. 

The following is an examiner's statement of reasons for allowance: 
The current application is directed towards a computerized method for reducing the false 
alarm rate of network intrusion detection systems that includes receiving, from a network intrusion 
detection sensor, one or more data packets associated with an alarm indicative of a potential 
attack on a target host and identifying characteristics of the alarm from the data packets. The 
characteristics include at least an attack type and an operating system fingerprint of the target 
host. The method further includes identifying the operating system type from the operating 
system fingerprint, comparing the attack type to the operating system type, and indicating 
whether the target host is vulnerable to the attack based on the comparison. 
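The correlation step just described, as an added illustration that is not code from the application or from the examiner: the fingerprint table, the attack catalogue and the alarm values are constructed sample data, and the TTL/window heuristic is an assumed simplification of real passive OS fingerprinting.

```python
"""Added illustration of the claimed method: an NIDS alarm is kept only when
the attack type applies to the OS identified from the target's fingerprint.
All tables below are constructed sample data, not a real fingerprint database."""
from dataclasses import dataclass

# Constructed passive-fingerprint rules: (initial TTL, TCP window) -> OS family.
OS_FINGERPRINTS = {
    (64, 5840): "linux",
    (64, 65535): "freebsd",
    (128, 8192): "windows",
    (128, 65535): "windows",
    (255, 4128): "cisco_ios",
}

# Constructed attack catalogue: which OS families each attack type can affect.
ATTACK_TARGETS = {
    "ms_rpc_dcom_overflow": {"windows"},
    "wu_ftpd_format_string": {"linux", "freebsd"},
    "cisco_http_auth_bypass": {"cisco_ios"},
    "ssh_crc32_overflow": {"linux", "freebsd", "windows", "cisco_ios"},
}

@dataclass
class Alarm:
    attack_type: str
    target_ttl: int        # TTL observed in packets sent by the target host
    target_window: int     # TCP window size observed from the target host

def normalize_ttl(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial TTL (64/128/255)."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial
    return 255

def identify_os(ttl: int, window: int) -> str:
    """Map the alarm's OS fingerprint to an OS type; 'unknown' if no rule matches."""
    return OS_FINGERPRINTS.get((normalize_ttl(ttl), window), "unknown")

def is_target_vulnerable(alarm: Alarm) -> bool:
    """Compare the attack type to the identified OS type.
    An unknown OS or unknown attack type is reported as vulnerable, so the
    filter only suppresses alarms it can positively rule out (fails safe)."""
    os_type = identify_os(alarm.target_ttl, alarm.target_window)
    affected = ATTACK_TARGETS.get(alarm.attack_type)
    if os_type == "unknown" or affected is None:
        return True
    return os_type in affected
```

An alarm for a Windows-only exploit aimed at a host fingerprinted as Linux is the false positive this method is designed to suppress; alarms whose fingerprint or attack type cannot be resolved are passed through unchanged.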

The closest prior art to the current application is McClure et al U.S. Patent No. 7,152,105 
B2 (hereinafter McClure). McClure is directed towards a system and method that provide 
comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, 
including identification of operating system, identification of target network topology and target 
computers, identification of open target ports, assessment of vulnerabilities on target ports, active 
assessment of vulnerabilities based on information acquired from target computers, quantitative 
assessment of target network security and vulnerability, and hierarchical graphical representation 
of the target network, target computers, and vulnerabilities in a test report. The system and 
method employ minimally obtrusive techniques to avoid interference with or damage to the 
target network during or after testing. 

However, there are differences between McClure and the current application. For 
example, McClure fails to disclose, teach, or suggest "receiving, from a network intrusion 
detection sensor, one or more data packets associated with an alarm indicative of a potential 
attack on a target host". McClure discloses that in order to "force" a response from the target 
computer, an intruder may send a malformed packet to a target port. While this known 
technique increases the likelihood that an open UDP port on the target computer can be 
identified, this technique also substantially increases the likelihood that the malformed packet 
could damage the target computer. Also, firewalls or routers may detect and filter out 
malformed packets, and such packets can alert the target network of an attempted security 
breach. The intelligent UDP port scanning test in accordance with this embodiment of 
the present invention employs an efficient, less intrusive and more accurate method for 
scanning UDP ports on a target computer (McClure at 24:11-26). This passage relates to a 
technique for discovering host computers (live target computers), particularly to a technique for 
applying an Intelligent UDP Port Scanning test to each IP address on a scan list (McClure at 
22:31-38, 23:54, and 24:21-27). McClure discloses packets used to identify an operating system 
(McClure at 17:36-18:3; see also McClure at 18:43-44). McClure fails to disclose, teach, or 
suggest "receiving, from a network intrusion detection sensor, one or more data packets 
associated with an alarm indicative of a potential attack on a target host". McClure discloses 
that the packets are RFC-compliant TCP packets (McClure at 14:41-56; see also McClure at 
16:57-17:4). The RFC-compliant TCP packets, however, are not the malformed packets. The 
use of RFC-compliant TCP packets advantageously reduces the probability that the 
detection packets are blocked by a router or firewall, and greatly reduces the probability that the 
detection packets will cause damage or crashes at the target computer (McClure at 16:62-67). 
That is, the packets greatly reduce the problems associated with the malformed packets. As a 
result, McClure fails to disclose "receiving, from a network intrusion detection sensor, one or 
more data packets associated with an alarm indicative of a potential attack on a target host". 
McClure discloses that in the decision step 730, the process determines whether all the live target 
computers have been processed in TCP full connect scanning or whether all the batches of live 
target computers have been processed in TCP SYN scanning. If all the target computers or 
all the batches of target computers have been processed, the process ends. Otherwise, the 
process proceeds to a TCP service scan routine 740 wherein the process uses a TCP 
service discovery list 742 to identify the TCP service ports to be examined for each target 
computer. As described above, TCP packets are sent to the identified TCP service ports of 
each target computer, and the target computer vulnerability database 714 is updated for 
each target computer in accordance with whether a response is received or is not received 
from each target computer for each TCP service port scanned and using the known 
vulnerability database to obtain the vulnerability information for the particular TCP service ports 
that are determined to be open (McClure at 31:19-36). This passage of McClure also fails to 
disclose "receiving, from a network intrusion detection sensor, one or more data packets 
associated with an alarm indicative of a potential attack on a target host". McClure does not 
disclose, teach or suggest receiving any message from a network intrusion detection sensor, 
let alone receiving "one or more data packets associated with an alarm indicative of a potential 
attack on a target host". McClure discloses that "TCP packets are sent to the identified TCP 
service ports [identified using TCP discovery list 742] of each target computer, and the target 
computer vulnerability database 714 is updated for each target computer in accordance with 
whether a response is received or is not received from each target computer for each TCP service 
port scanned and using the known vulnerability database to obtain the vulnerability information 
for the particular TCP service ports that are determined to be open" (McClure at 31:28-36). 
Updating a target computer vulnerability database or using a known vulnerability database, 
as discussed above, does not disclose, teach, or suggest receiving anything from a network 
intrusion detection system, let alone receiving from such a network intrusion detection system 
one or more data packets associated with an alarm indicative of a potential attack on a target host. 
As another example, McClure fails to disclose, teach, or suggest "identifying 
characteristics of the alarm from the data packets, including at least an attack type and an 
operating system fingerprint of the target host," "comparing the attack type to the operating 
system type" and "indicating whether the target host is vulnerable to the attack based on the 
comparison". For example, McClure discloses sending messages to a target computer and 
saving responses from the target computer as fingerprints (Id. at 17:29-64). The 
fingerprints are then compared to a known database of fingerprints associated with various 
operating systems and operating system versions (Id. at 17:65-68). According to McClure, 
known fingerprints can be compiled through application of the above methodology to 
various target computers known to have a particular operating system before testing (Id. 
at 17:67-18:3). The remainder of the portion discloses various additional details related to the 
technique for identifying the operating system disclosed in McClure, including updating of the 
operating system fingerprint database, types of operating system fingerprints, and the types of 
messages that may be sent to the target computer to obtain responses from the target computer 
(Id. at 18:20-50). However, McClure does not appear to disclose, teach, or suggest 
"identifying characteristics of the alarm from the data packets, including at least an attack type 
and an operating system fingerprint of the target host," "comparing the attack type to the 
operating system type" and "indicating whether the target host is vulnerable to the attack based 
on the comparison". 

Any comments considered necessary by applicant must be submitted no later than the 
payment of the issue fee and, to avoid processing delays, should preferably accompany the issue 
fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for 
Allowance." 



Application/Control Number: 10/685,726 Page 7 

Art Unit: 2132 

Conclusion 

5. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Aravind K. Moorthy whose telephone number is 571-272-3793. 
The examiner can normally be reached on Monday-Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Aravind K Moorthy/ 
Examiner, Art Unit 2131 



/Gilberto Barron Jr/ 

Supervisory Patent Examiner, Art Unit 2132 



